Train or notify users to not delete the files/folders that are copied from the SourcePath.

Sep 27, 2016 at 8:26 PM
Hi pcooper,

I came across your work in Ransomware detection, it sound exiting to get this going.

But now I'm a bit worried about the impact for the end-users.
Does every subfolder in my file-server share(s) gets these 'files' that the end-users will see?

Thanks,
Jimmy
Nov 19, 2016 at 1:02 AM
Edited Nov 19, 2016 at 1:05 AM
Yes. I would make a folder called "LeaveAlone" or something like that. You place an example file of each file type in that folder and set the folder just above LeaveAlone as the source folder. You notify your users to leave this folder alone, no deleting, moving, or editing files. You will get a few false positives, but if you notify users ahead of time and right after they accidentally make a mistake then the false positives decrease over time. You get to have peace of mind with your file shares and know when or if your shares become compromised.
Nov 19, 2016 at 1:04 AM
I haven't had any false positives in a few months now. It took some work, but we got there.